module "self_managed_node_group" {
  source = "terraform-aws-modules/eks/aws//modules/self-managed-node-group"

  name                = "separate-self-mng"
  cluster_name        = aws_eks_cluster.eks.id
  cluster_version     = "1.22"
  cluster_endpoint    = aws_eks_cluster.eks.endpoint
  cluster_auth_base64 = aws_eks_cluster.eks.certificate_authority[0].data

  vpc_id = module.vpc.vpc_id
  subnet_ids = [
    module.vpc.private_subnets[0],
    module.vpc.private_subnets[1],
    module.vpc.private_subnets[2],
  ]

  # All three node security groups are attached to every node in the group
  vpc_security_group_ids = [
    aws_security_group.node-sg[0].id,
    aws_security_group.node-sg[1].id,
    aws_security_group.node-sg[2].id,
  ]

  min_size     = 3
  max_size     = 6
  desired_size = 3

  key_name             = aws_key_pair.bastion_auth.id
  security_group_name  = "node-sg"
  launch_template_name = aws_launch_template.node.id
  instance_type        = "t2.micro"
}

# One node security group per AZ; SSH is only allowed from the matching bastion SG
resource "aws_security_group" "node-sg" {
  count  = var.azs
  name   = "node-security-group-${count.index}"
  vpc_id = module.vpc.vpc_id

  ingress {
    protocol        = "tcp"
    from_port       = 22
    to_port         = 22
    security_groups = [aws_security_group.bastion-sg[count.index].id]
  }

  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}
I have 3 separate security groups: node-sg[0], node-sg[1] and node-sg[2]. In my self_managed_node_group module, the only way I can add them is all 3 at once, like this:

  vpc_security_group_ids = [
    aws_security_group.node-sg[0].id,
    aws_security_group.node-sg[1].id,
    aws_security_group.node-sg[2].id,
  ]
This obviously assigns all three security groups to every node that is deployed. What I want instead is for the first node created to use node-sg[0], the second node to use node-sg[1], and the third node to use node-sg[2], but I don't know how to make that work.
You can't do what you want unless you fork the self-managed-node-group module and modify it by hand.

As you can see in the source code:
security_group_ids = compact(concat([try(aws_security_group.this[0].id, ""), var.cluster_primary_security_group_id], var.vpc_security_group_ids))
There is no functionality that iterates over var.vpc_security_group_ids per individual node. var.vpc_security_group_ids is treated as a single list, and the whole list is assigned to every node.
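As an added example (not part of the question or the answer above), the usual way around this is to stop asking one autoscaling group to hand out different security groups per instance and instead create one module instance per security group with for_each. Each resulting node group then carries exactly one node-sg and lives in the matching subnet; it assumes the same inputs as the question (module.vpc, aws_security_group.node-sg, aws_launch_template.node, aws_key_pair.bastion_auth) and that var.azs is 3.

```hcl
# Added example, not the question's or the module's own code.
# One self-managed node group per security group: node group i gets
# node-sg[i] and private subnet i only, so no node ever carries all three SGs.
module "self_managed_node_group" {
  source   = "terraform-aws-modules/eks/aws//modules/self-managed-node-group"
  for_each = { for i in range(var.azs) : tostring(i) => i }

  # Names must be unique per instance, otherwise the ASGs/SGs would collide
  name                = "separate-self-mng-${each.key}"
  security_group_name = "node-sg-${each.key}"

  cluster_name        = aws_eks_cluster.eks.id
  cluster_version     = "1.22"
  cluster_endpoint    = aws_eks_cluster.eks.endpoint
  cluster_auth_base64 = aws_eks_cluster.eks.certificate_authority[0].data

  vpc_id = module.vpc.vpc_id
  # A single subnet per group, so group i lands in AZ i
  subnet_ids = [module.vpc.private_subnets[each.value]]

  # Exactly one security group per group instead of the whole list
  vpc_security_group_ids = [aws_security_group.node-sg[each.value].id]

  # 1 node per group keeps the original total of 3 desired nodes
  min_size     = 1
  max_size     = 2
  desired_size = 1

  key_name             = aws_key_pair.bastion_auth.id
  launch_template_name = aws_launch_template.node.id
  instance_type        = "t2.micro"
}
```

The trade-off is that scaling is now per group (each ASG scales on its own), which is also what pins the SG-to-AZ pairing.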